Context Navigation

source: vendor/3.6.9/source3/libads/kerberos_keytab.c

Visit:

Last change on this file was 740, checked in by Silvan Scherrer, 13 years ago
Samba Server: update vendor to 3.6.0
File size: 21.7 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	kerberos keytab utility library
4	Copyright (C) Andrew Tridgell 2001
5	Copyright (C) Remus Koos 2001
6	Copyright (C) Luke Howard 2003
7	Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8	Copyright (C) Guenther Deschner 2003
9	Copyright (C) Rakesh Patel 2004
10	Copyright (C) Dan Perry 2004
11	Copyright (C) Jeremy Allison 2004
12	Copyright (C) Gerald Carter 2006
13
14	This program is free software; you can redistribute it and/or modify
15	it under the terms of the GNU General Public License as published by
16	the Free Software Foundation; either version 3 of the License, or
17	(at your option) any later version.
18
19	This program is distributed in the hope that it will be useful,
20	but WITHOUT ANY WARRANTY; without even the implied warranty of
21	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22	GNU General Public License for more details.
23
24	You should have received a copy of the GNU General Public License
25	along with this program. If not, see <http://www.gnu.org/licenses/>.
26	*/
27
28	#include "includes.h"
29	#include "smb_krb5.h"
30	#include "ads.h"
31	#include "secrets.h"
32
33	#ifdef HAVE_KRB5
34
35	/**********************************************************************
36	**********************************************************************/
37
38	static krb5_error_code seek_and_delete_old_entries(krb5_context context,
39	krb5_keytab keytab,
40	krb5_kvno kvno,
41	const char *princ_s,
42	krb5_principal princ,
43	bool flush,
44	bool keep_old_entries)
45	{
46	krb5_error_code ret;
47	krb5_kt_cursor cursor;
48	krb5_kt_cursor zero_csr;
49	krb5_keytab_entry kt_entry;
50	krb5_keytab_entry zero_kt_entry;
51	char *ktprinc = NULL;
52
53	ZERO_STRUCT(cursor);
54	ZERO_STRUCT(zero_csr);
55	ZERO_STRUCT(kt_entry);
56	ZERO_STRUCT(zero_kt_entry);
57
58	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
59	if (ret == KRB5_KT_END \|\| ret == ENOENT ) {
60	/* no entries */
61	return 0;
62	}
63
64	DEBUG(3, (__location__ ": Will try to delete old keytab entries\n"));
65	while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
66	bool name_ok = False;
67
68	if (!flush && (princ_s != NULL)) {
69	ret = smb_krb5_unparse_name(talloc_tos(), context,
70	kt_entry.principal,
71	&ktprinc);
72	if (ret) {
73	DEBUG(1, (__location__
74	": smb_krb5_unparse_name failed "
75	"(%s)\n", error_message(ret)));
76	goto out;
77	}
78
79	#ifdef HAVE_KRB5_KT_COMPARE
80	name_ok = krb5_kt_compare(context, &kt_entry,
81	princ, 0, 0);
82	#else
83	name_ok = (strcmp(ktprinc, princ_s) == 0);
84	#endif
85
86	if (!name_ok) {
87	DEBUG(10, (__location__ ": ignoring keytab "
88	"entry principal %s, kvno = %d\n",
89	ktprinc, kt_entry.vno));
90
91	/* Not a match,
92	* just free this entry and continue. */
93	ret = smb_krb5_kt_free_entry(context,
94	&kt_entry);
95	ZERO_STRUCT(kt_entry);
96	if (ret) {
97	DEBUG(1, (__location__
98	": smb_krb5_kt_free_entry "
99	"failed (%s)\n",
100	error_message(ret)));
101	goto out;
102	}
103
104	TALLOC_FREE(ktprinc);
105	continue;
106	}
107
108	TALLOC_FREE(ktprinc);
109	}
110
111	/*------------------------------------------------------------
112	* Save the entries with kvno - 1. This is what microsoft does
113	* to allow people with existing sessions that have kvno - 1
114	* to still work. Otherwise, when the password for the machine
115	* changes, all kerberizied sessions will 'break' until either
116	* the client reboots or the client's session key expires and
117	* they get a new session ticket with the new kvno.
118	*/
119
120	if (!flush && (kt_entry.vno == kvno - 1)) {
121	DEBUG(5, (__location__ ": Saving previous (kvno %d) "
122	"entry for principal: %s.\n",
123	kvno - 1, princ_s));
124	continue;
125	}
126
127	if (keep_old_entries) {
128	DEBUG(5, (__location__ ": Saving old (kvno %d) "
129	"entry for principal: %s.\n",
130	kvno, princ_s));
131	continue;
132	}
133
134	DEBUG(5, (__location__ ": Found old entry for principal: %s "
135	"(kvno %d) - trying to remove it.\n",
136	princ_s, kt_entry.vno));
137
138	ret = krb5_kt_end_seq_get(context, keytab, &cursor);
139	ZERO_STRUCT(cursor);
140	if (ret) {
141	DEBUG(1, (__location__ ": krb5_kt_end_seq_get() "
142	"failed (%s)\n", error_message(ret)));
143	goto out;
144	}
145	ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
146	if (ret) {
147	DEBUG(1, (__location__ ": krb5_kt_remove_entry() "
148	"failed (%s)\n", error_message(ret)));
149	goto out;
150	}
151
152	DEBUG(5, (__location__ ": removed old entry for principal: "
153	"%s (kvno %d).\n", princ_s, kt_entry.vno));
154
155	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
156	if (ret) {
157	DEBUG(1, (__location__ ": krb5_kt_start_seq() failed "
158	"(%s)\n", error_message(ret)));
159	goto out;
160	}
161	ret = smb_krb5_kt_free_entry(context, &kt_entry);
162	ZERO_STRUCT(kt_entry);
163	if (ret) {
164	DEBUG(1, (__location__ ": krb5_kt_remove_entry() "
165	"failed (%s)\n", error_message(ret)));
166	goto out;
167	}
168	}
169
170	out:
171	if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
172	smb_krb5_kt_free_entry(context, &kt_entry);
173	}
174	if (keytab) {
175	if (memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) {
176	krb5_kt_end_seq_get(context, keytab, &cursor);
177	}
178	}
179
180	return ret;
181	}
182
183	static int smb_krb5_kt_add_entry(krb5_context context,
184	krb5_keytab keytab,
185	krb5_kvno kvno,
186	const char *princ_s,
187	krb5_enctype *enctypes,
188	krb5_data password,
189	bool no_salt,
190	bool keep_old_entries)
191	{
192	krb5_error_code ret;
193	krb5_keytab_entry kt_entry;
194	krb5_principal princ = NULL;
195	int i;
196
197	ZERO_STRUCT(kt_entry);
198
199	ret = smb_krb5_parse_name(context, princ_s, &princ);
200	if (ret) {
201	DEBUG(1, (__location__ ": smb_krb5_parse_name(%s) "
202	"failed (%s)\n", princ_s, error_message(ret)));
203	goto out;
204	}
205
206	/* Seek and delete old keytab entries */
207	ret = seek_and_delete_old_entries(context, keytab, kvno,
208	princ_s, princ, false,
209	keep_old_entries);
210	if (ret) {
211	goto out;
212	}
213
214	/* If we get here, we have deleted all the old entries with kvno's
215	* not equal to the current kvno-1. */
216
217	/* Now add keytab entries for all encryption types */
218	for (i = 0; enctypes[i]; i++) {
219	krb5_keyblock *keyp;
220
221	keyp = KRB5_KT_KEY(&kt_entry);
222
223	if (create_kerberos_key_from_string(context, princ,
224	&password, keyp,
225	enctypes[i], no_salt)) {
226	continue;
227	}
228
229	kt_entry.principal = princ;
230	kt_entry.vno = kvno;
231
232	DEBUG(3, (__location__ ": adding keytab entry for (%s) with "
233	"encryption type (%d) and version (%d)\n",
234	princ_s, enctypes[i], kt_entry.vno));
235	ret = krb5_kt_add_entry(context, keytab, &kt_entry);
236	krb5_free_keyblock_contents(context, keyp);
237	ZERO_STRUCT(kt_entry);
238	if (ret) {
239	DEBUG(1, (__location__ ": adding entry to keytab "
240	"failed (%s)\n", error_message(ret)));
241	goto out;
242	}
243	}
244
245	out:
246	if (princ) {
247	krb5_free_principal(context, princ);
248	}
249
250	return (int)ret;
251	}
252
253	/**********************************************************************
254	Adds a single service principal, i.e. 'host' to the system keytab
255	***********************************************************************/
256
257	int ads_keytab_add_entry(ADS_STRUCT ads, const char srvPrinc)
258	{
259	krb5_error_code ret = 0;
260	krb5_context context = NULL;
261	krb5_keytab keytab = NULL;
262	krb5_data password;
263	krb5_kvno kvno;
264	krb5_enctype enctypes[4] = {
265	ENCTYPE_DES_CBC_CRC,
266	ENCTYPE_DES_CBC_MD5,
267	ENCTYPE_ARCFOUR_HMAC,
268	0
269	};
270	char *princ_s = NULL;
271	char *short_princ_s = NULL;
272	char *password_s = NULL;
273	char *my_fqdn;
274	TALLOC_CTX *tmpctx = NULL;
275	char *machine_name;
276	ADS_STATUS aderr;
277
278	initialize_krb5_error_table();
279	ret = krb5_init_context(&context);
280	if (ret) {
281	DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
282	error_message(ret)));
283	return -1;
284	}
285
286	ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
287	if (ret) {
288	DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
289	error_message(ret)));
290	goto out;
291	}
292
293	/* retrieve the password */
294	if (!secrets_init()) {
295	DEBUG(1, (__location__ ": secrets_init failed\n"));
296	ret = -1;
297	goto out;
298	}
299	password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
300	if (!password_s) {
301	DEBUG(1, (__location__ ": failed to fetch machine password\n"));
302	ret = -1;
303	goto out;
304	}
305	ZERO_STRUCT(password);
306	password.data = password_s;
307	password.length = strlen(password_s);
308
309	/* we need the dNSHostName value here */
310	tmpctx = talloc_init(__location__);
311	if (!tmpctx) {
312	DEBUG(0, (__location__ ": talloc_init() failed!\n"));
313	ret = -1;
314	goto out;
315	}
316
317	my_fqdn = ads_get_dnshostname(ads, tmpctx, global_myname());
318	if (!my_fqdn) {
319	DEBUG(0, (__location__ ": unable to determine machine "
320	"account's dns name in AD!\n"));
321	ret = -1;
322	goto out;
323	}
324
325	machine_name = ads_get_samaccountname(ads, tmpctx, global_myname());
326	if (!machine_name) {
327	DEBUG(0, (__location__ ": unable to determine machine "
328	"account's short name in AD!\n"));
329	ret = -1;
330	goto out;
331	}
332	/strip the trailing '$' /
333	machine_name[strlen(machine_name)-1] = '\0';
334
335	/* Construct our principal */
336	if (strchr_m(srvPrinc, '@')) {
337	/* It's a fully-named principal. */
338	princ_s = talloc_asprintf(tmpctx, "%s", srvPrinc);
339	if (!princ_s) {
340	ret = -1;
341	goto out;
342	}
343	} else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
344	/* It's the machine account, as used by smbclient clients. */
345	princ_s = talloc_asprintf(tmpctx, "%s@%s",
346	srvPrinc, lp_realm());
347	if (!princ_s) {
348	ret = -1;
349	goto out;
350	}
351	} else {
352	/* It's a normal service principal. Add the SPN now so that we
353	* can obtain credentials for it and double-check the salt value
354	* used to generate the service's keys. */
355
356	princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
357	srvPrinc, my_fqdn, lp_realm());
358	if (!princ_s) {
359	ret = -1;
360	goto out;
361	}
362	short_princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
363	srvPrinc, machine_name,
364	lp_realm());
365	if (!princ_s) {
366	ret = -1;
367	goto out;
368	}
369
370	/* According to http://support.microsoft.com/kb/326985/en-us,
371	certain principal names are automatically mapped to the
372	host/... principal in the AD account.
373	So only create these in the keytab, not in AD. --jerry */
374
375	if (!strequal(srvPrinc, "cifs") &&
376	!strequal(srvPrinc, "host")) {
377	DEBUG(3, (__location__ ": Attempting to add/update "
378	"'%s'\n", princ_s));
379
380	aderr = ads_add_service_principal_name(ads,
381	global_myname(), my_fqdn, srvPrinc);
382	if (!ADS_ERR_OK(aderr)) {
383	DEBUG(1, (__location__ ": failed to "
384	"ads_add_service_principal_name.\n"));
385	goto out;
386	}
387	}
388	}
389
390	kvno = (krb5_kvno)ads_get_machine_kvno(ads, global_myname());
391	if (kvno == -1) {
392	/* -1 indicates failure, everything else is OK */
393	DEBUG(1, (__location__ ": ads_get_machine_kvno failed to "
394	"determine the system's kvno.\n"));
395	ret = -1;
396	goto out;
397	}
398
399	/* add the fqdn principal to the keytab */
400	ret = smb_krb5_kt_add_entry(context, keytab, kvno,
401	princ_s, enctypes, password,
402	false, false);
403	if (ret) {
404	DEBUG(1, (__location__ ": Failed to add entry to keytab\n"));
405	goto out;
406	}
407
408	/* add the short principal name if we have one */
409	if (short_princ_s) {
410	ret = smb_krb5_kt_add_entry(context, keytab, kvno,
411	short_princ_s, enctypes, password,
412	false, false);
413	if (ret) {
414	DEBUG(1, (__location__
415	": Failed to add short entry to keytab\n"));
416	goto out;
417	}
418	}
419
420	out:
421	TALLOC_FREE(tmpctx);
422
423	if (keytab) {
424	krb5_kt_close(context, keytab);
425	}
426	if (context) {
427	krb5_free_context(context);
428	}
429	return (int)ret;
430	}
431
432	/**********************************************************************
433	Flushes all entries from the system keytab.
434	***********************************************************************/
435
436	int ads_keytab_flush(ADS_STRUCT *ads)
437	{
438	krb5_error_code ret = 0;
439	krb5_context context = NULL;
440	krb5_keytab keytab = NULL;
441	krb5_kvno kvno;
442	ADS_STATUS aderr;
443
444	initialize_krb5_error_table();
445	ret = krb5_init_context(&context);
446	if (ret) {
447	DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
448	error_message(ret)));
449	return ret;
450	}
451
452	ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
453	if (ret) {
454	DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
455	error_message(ret)));
456	goto out;
457	}
458
459	kvno = (krb5_kvno)ads_get_machine_kvno(ads, global_myname());
460	if (kvno == -1) {
461	/* -1 indicates a failure */
462	DEBUG(1, (__location__ ": Error determining the kvno.\n"));
463	goto out;
464	}
465
466	/* Seek and delete old keytab entries */
467	ret = seek_and_delete_old_entries(context, keytab, kvno,
468	NULL, NULL, true, false);
469	if (ret) {
470	goto out;
471	}
472
473	aderr = ads_clear_service_principal_names(ads, global_myname());
474	if (!ADS_ERR_OK(aderr)) {
475	DEBUG(1, (__location__ ": Error while clearing service "
476	"principal listings in LDAP.\n"));
477	goto out;
478	}
479
480	out:
481	if (keytab) {
482	krb5_kt_close(context, keytab);
483	}
484	if (context) {
485	krb5_free_context(context);
486	}
487	return ret;
488	}
489
490	/**********************************************************************
491	Adds all the required service principals to the system keytab.
492	***********************************************************************/
493
494	int ads_keytab_create_default(ADS_STRUCT *ads)
495	{
496	krb5_error_code ret = 0;
497	krb5_context context = NULL;
498	krb5_keytab keytab = NULL;
499	krb5_kt_cursor cursor;
500	krb5_keytab_entry kt_entry;
501	krb5_kvno kvno;
502	int i, found = 0;
503	char sam_account_name, upn;
504	char *oldEntries = NULL, princ_s[26];
505	TALLOC_CTX *tmpctx = NULL;
506	char *machine_name;
507
508	/* these are the main ones we need */
509	ret = ads_keytab_add_entry(ads, "host");
510	if (ret != 0) {
511	DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
512	"adding 'host' principal.\n"));
513	return ret;
514	}
515
516
517	#if 0 /* don't create the CIFS/... keytab entries since no one except smbd
518	really needs them and we will fall back to verifying against
519	secrets.tdb */
520
521	ret = ads_keytab_add_entry(ads, "cifs"));
522	if (ret != 0 ) {
523	DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
524	"adding 'cifs'.\n"));
525	return ret;
526	}
527	#endif
528
529	memset(princ_s, '\0', sizeof(princ_s));
530	ZERO_STRUCT(kt_entry);
531	ZERO_STRUCT(cursor);
532
533	initialize_krb5_error_table();
534	ret = krb5_init_context(&context);
535	if (ret) {
536	DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
537	error_message(ret)));
538	return ret;
539	}
540
541	tmpctx = talloc_init(__location__);
542	if (!tmpctx) {
543	DEBUG(0, (__location__ ": talloc_init() failed!\n"));
544	ret = -1;
545	goto done;
546	}
547
548	machine_name = talloc_strdup(tmpctx, global_myname());
549	if (!machine_name) {
550	ret = -1;
551	goto done;
552	}
553
554	/* now add the userPrincipalName and sAMAccountName entries */
555	sam_account_name = ads_get_samaccountname(ads, tmpctx, machine_name);
556	if (!sam_account_name) {
557	DEBUG(0, (__location__ ": unable to determine machine "
558	"account's name in AD!\n"));
559	ret = -1;
560	goto done;
561	}
562
563	/* upper case the sAMAccountName to make it easier for apps to
564	know what case to use in the keytab file */
565	strupper_m(sam_account_name);
566
567	ret = ads_keytab_add_entry(ads, sam_account_name);
568	if (ret != 0) {
569	DEBUG(1, (__location__ ": ads_keytab_add_entry() failed "
570	"while adding sAMAccountName (%s)\n",
571	sam_account_name));
572	goto done;
573	}
574
575	/* remember that not every machine account will have a upn */
576	upn = ads_get_upn(ads, tmpctx, machine_name);
577	if (upn) {
578	ret = ads_keytab_add_entry(ads, upn);
579	if (ret != 0) {
580	DEBUG(1, (__location__ ": ads_keytab_add_entry() "
581	"failed while adding UPN (%s)\n", upn));
582	goto done;
583	}
584	}
585
586	/* Now loop through the keytab and update any other existing entries */
587	kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
588	if (kvno == -1) {
589	DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
590	"determine the system's kvno.\n"));
591	goto done;
592	}
593
594	DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
595	"and update.\n"));
596
597	ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
598	if (ret) {
599	DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
600	error_message(ret)));
601	goto done;
602	}
603
604	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
605	if (ret != KRB5_KT_END && ret != ENOENT ) {
606	while ((ret = krb5_kt_next_entry(context, keytab,
607	&kt_entry, &cursor)) == 0) {
608	smb_krb5_kt_free_entry(context, &kt_entry);
609	ZERO_STRUCT(kt_entry);
610	found++;
611	}
612	}
613	krb5_kt_end_seq_get(context, keytab, &cursor);
614	ZERO_STRUCT(cursor);
615
616	/*
617	* Hmmm. There is no "rewind" function for the keytab. This means we
618	* have a race condition where someone else could add entries after
619	* we've counted them. Re-open asap to minimise the race. JRA.
620	*/
621	DEBUG(3, (__location__ ": Found %d entries in the keytab.\n", found));
622	if (!found) {
623	goto done;
624	}
625
626	oldEntries = talloc_array(tmpctx, char *, found);
627	if (!oldEntries) {
628	DEBUG(1, (__location__ ": Failed to allocate space to store "
629	"the old keytab entries (talloc failed?).\n"));
630	ret = -1;
631	goto done;
632	}
633	memset(oldEntries, '\0', found * sizeof(char *));
634
635	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
636	if (ret == KRB5_KT_END \|\| ret == ENOENT) {
637	krb5_kt_end_seq_get(context, keytab, &cursor);
638	ZERO_STRUCT(cursor);
639	goto done;
640	}
641
642	while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
643	if (kt_entry.vno != kvno) {
644	char *ktprinc = NULL;
645	char *p;
646
647	/* This returns a malloc'ed string in ktprinc. */
648	ret = smb_krb5_unparse_name(oldEntries, context,
649	kt_entry.principal,
650	&ktprinc);
651	if (ret) {
652	DEBUG(1, (__location__
653	": smb_krb5_unparse_name failed "
654	"(%s)\n", error_message(ret)));
655	goto done;
656	}
657	/*
658	* From looking at the krb5 source they don't seem to
659	* take locale or mb strings into account.
660	* Maybe this is because they assume utf8 ?
661	* In this case we may need to convert from utf8 to
662	* mb charset here ? JRA.
663	*/
664	p = strchr_m(ktprinc, '@');
665	if (p) {
666	*p = '\0';
667	}
668
669	p = strchr_m(ktprinc, '/');
670	if (p) {
671	*p = '\0';
672	}
673	for (i = 0; i < found; i++) {
674	if (!oldEntries[i]) {
675	oldEntries[i] = ktprinc;
676	break;
677	}
678	if (!strcmp(oldEntries[i], ktprinc)) {
679	TALLOC_FREE(ktprinc);
680	break;
681	}
682	}
683	if (i == found) {
684	TALLOC_FREE(ktprinc);
685	}
686	}
687	smb_krb5_kt_free_entry(context, &kt_entry);
688	ZERO_STRUCT(kt_entry);
689	}
690	ret = 0;
691	for (i = 0; oldEntries[i]; i++) {
692	ret \|= ads_keytab_add_entry(ads, oldEntries[i]);
693	TALLOC_FREE(oldEntries[i]);
694	}
695	krb5_kt_end_seq_get(context, keytab, &cursor);
696	ZERO_STRUCT(cursor);
697
698	done:
699	TALLOC_FREE(oldEntries);
700	TALLOC_FREE(tmpctx);
701
702	{
703	krb5_keytab_entry zero_kt_entry;
704	ZERO_STRUCT(zero_kt_entry);
705	if (memcmp(&zero_kt_entry, &kt_entry,
706	sizeof(krb5_keytab_entry))) {
707	smb_krb5_kt_free_entry(context, &kt_entry);
708	}
709	}
710	{
711	krb5_kt_cursor zero_csr;
712	ZERO_STRUCT(zero_csr);
713	if ((memcmp(&cursor, &zero_csr,
714	sizeof(krb5_kt_cursor)) != 0) && keytab) {
715	krb5_kt_end_seq_get(context, keytab, &cursor);
716	}
717	}
718	if (keytab) {
719	krb5_kt_close(context, keytab);
720	}
721	if (context) {
722	krb5_free_context(context);
723	}
724	return ret;
725	}
726
727	/**********************************************************************
728	List system keytab.
729	***********************************************************************/
730
731	int ads_keytab_list(const char *keytab_name)
732	{
733	krb5_error_code ret = 0;
734	krb5_context context = NULL;
735	krb5_keytab keytab = NULL;
736	krb5_kt_cursor cursor;
737	krb5_keytab_entry kt_entry;
738
739	ZERO_STRUCT(kt_entry);
740	ZERO_STRUCT(cursor);
741
742	initialize_krb5_error_table();
743	ret = krb5_init_context(&context);
744	if (ret) {
745	DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
746	error_message(ret)));
747	return ret;
748	}
749
750	ret = smb_krb5_open_keytab(context, keytab_name, False, &keytab);
751	if (ret) {
752	DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
753	error_message(ret)));
754	goto out;
755	}
756
757	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
758	if (ret) {
759	ZERO_STRUCT(cursor);
760	goto out;
761	}
762
763	printf("Vno Type Principal\n");
764
765	while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
766
767	char *princ_s = NULL;
768	char *etype_s = NULL;
769	krb5_enctype enctype = 0;
770
771	ret = smb_krb5_unparse_name(talloc_tos(), context,
772	kt_entry.principal, &princ_s);
773	if (ret) {
774	goto out;
775	}
776
777	enctype = smb_get_enctype_from_kt_entry(&kt_entry);
778
779	ret = smb_krb5_enctype_to_string(context, enctype, &etype_s);
780	if (ret &&
781	(asprintf(&etype_s, "UNKNOWN: %d\n", enctype) == -1)) {
782	TALLOC_FREE(princ_s);
783	goto out;
784	}
785
786	printf("%3d %s\t\t %s\n", kt_entry.vno, etype_s, princ_s);
787
788	TALLOC_FREE(princ_s);
789	SAFE_FREE(etype_s);
790
791	ret = smb_krb5_kt_free_entry(context, &kt_entry);
792	if (ret) {
793	goto out;
794	}
795	}
796
797	ret = krb5_kt_end_seq_get(context, keytab, &cursor);
798	if (ret) {
799	goto out;
800	}
801
802	/* Ensure we don't double free. */
803	ZERO_STRUCT(kt_entry);
804	ZERO_STRUCT(cursor);
805	out:
806
807	{
808	krb5_keytab_entry zero_kt_entry;
809	ZERO_STRUCT(zero_kt_entry);
810	if (memcmp(&zero_kt_entry, &kt_entry,
811	sizeof(krb5_keytab_entry))) {
812	smb_krb5_kt_free_entry(context, &kt_entry);
813	}
814	}
815	{
816	krb5_kt_cursor zero_csr;
817	ZERO_STRUCT(zero_csr);
818	if ((memcmp(&cursor, &zero_csr,
819	sizeof(krb5_kt_cursor)) != 0) && keytab) {
820	krb5_kt_end_seq_get(context, keytab, &cursor);
821	}
822	}
823
824	if (keytab) {
825	krb5_kt_close(context, keytab);
826	}
827	if (context) {
828	krb5_free_context(context);
829	}
830	return ret;
831	}
832
833	#endif /* HAVE_KRB5 */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: